For a session to be secure, <i>all</i> requests that carry the cookie need to be over HTTPS.<p>When going to https://twitter.com/ I noticed that (among dozens of others) it requests URL http://twitter.com/scribe?[...] (note HTTP, not HTTPS), which includes the session cookie.<p>Hence, it's sent in plain text, even if you go to https://twitter.com/
If using FF, check out: HTTPS Everywhere ( <a href="https://www.eff.org/https-everywhere" rel="nofollow">https://www.eff.org/https-everywhere</a> )
or Force TLS ( <a href="https://addons.mozilla.org/en-US/firefox/addon/12714/" rel="nofollow">https://addons.mozilla.org/en-US/firefox/addon/12714/</a> )<p>For Chrome, note that EFF says: "...There is a Chrome extension called KB SSL Enforcer which attempts to take that approach, but it does not appear to be implemented securely; when we tested it, it seemed to always use http before https, which means that your surfing habits and authentication cookies are not protected (this may be a limitation of the Chrome Extensions framework)."<p>If using OS X, check out: <a href="http://github.com/nicksieger/sheepsafe" rel="nofollow">http://github.com/nicksieger/sheepsafe</a><p>Could also try using Comodo TrustConnect: <a href="http://www.comodo.com/trustconnect/" rel="nofollow">http://www.comodo.com/trustconnect/</a><p>But note for the latter that they keep logs of traffic:<p>"Q: I'm a cyber criminal myself and I'd like to use this service to do all of my dirty work: breaking into others' personal information, stealing credit cards, sending SPAM and breaking other laws. Will you tell?<p>A: Yes we will. We have logs of all system connections and will provide them to the proper authorities upon request. We're trying to eliminate the web of people like you, not help you do your dirty work."
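<p>On the server side, the defence against the leak described above is the Secure attribute on the session cookie: a browser then withholds that cookie from any http:// request, including sub-resources pulled by an HTTPS page. The script below is an added example (not code from this thread or from Twitter) that simulates this browser rule on constructed Set-Cookie samples; the cookie names and values are made up, and domain matching is left out, so every cookie is assumed to come from the host being requested.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample Set-Cookie headers, as a site might send them after login.
# They are illustrative only, not real headers from twitter.com.
SET_COOKIE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",          # session cookie, no Secure attribute
    "auth=def456; Path=/; Secure; HttpOnly",     # same idea, but marked Secure
    "lang=en; Path=/",                           # harmless preference cookie
]


def parse_cookies(headers):
    """Turn Set-Cookie lines into (name, value, secure, path) tuples."""
    jar = []
    for line in headers:
        cookie = SimpleCookie()
        cookie.load(line)
        for name, morsel in cookie.items():
            # morsel["secure"] is True when the attribute is present, "" otherwise
            jar.append((name, morsel.value, bool(morsel["secure"]), morsel["path"] or "/"))
    return jar


def cookies_sent(jar, request_url):
    """Names of cookies a browser attaches to request_url.

    Applies the rule the Secure attribute enforces: such a cookie is only
    sent when the request scheme is https. Assumes every cookie was set by
    the host being requested, so domain matching is not modelled here.
    """
    parts = urlsplit(request_url)
    sent = []
    for name, _value, secure, path in jar:
        if secure and parts.scheme != "https":
            continue                       # withheld from plain-HTTP requests
        if not parts.path.startswith(path):
            continue                       # outside the cookie's Path scope
        sent.append(name)
    return sent


def cleartext_leaks(headers, request_url):
    """Cookies that would cross the wire unencrypted for this request."""
    if urlsplit(request_url).scheme == "https":
        return []
    return cookies_sent(parse_cookies(headers), request_url)


if __name__ == "__main__":
    # An HTTPS page pulling an http:// sub-resource, as in the comment above.
    print(cleartext_leaks(SET_COOKIE_HEADERS, "http://twitter.com/scribe"))
```

Running it lists the cookies that would travel in the clear for the http:// request (the non-Secure ones), while the Secure cookie is held back.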